System Information Discovery

Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions.

On Android, much of this information is programmatically accessible to applications through the android.os.Build class. [1] iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running.

ID: T1426
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Discovery
Platforms: Android, iOS
MTC ID: APP-12
Version: 1.2
Created: 25 October 2017
Last Modified: 11 April 2022

Procedure Examples

ID Name Description
S0525 Android/AdDisplay.Ashas

Android/AdDisplay.Ashas can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if developer mode is enabled.[2]

S0304 Android/Chuli.A

Android/Chuli.A gathered system information including phone number, OS version, phone model, and SDK version.[3]

S0310 ANDROIDOS_ANSERVER.A

ANDROIDOS_ANSERVER.A gathers the device OS version, device build version, manufacturer, and model.[4]

S0422 Anubis

Anubis can collect the device’s ID.[5]

S0540 Asacub

Asacub can collect various pieces of device information, including device model and OS version.[6]

S0529 CarbonSteal

CarbonSteal has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.[7]

S0480 Cerberus

Cerberus can collect device information, such as the default SMS app and device locale.[8][9]

S0555 CHEMISTGAMES

CHEMISTGAMES has fingerprinted devices to uniquely identify them.[10]

S0425 Corona Updates

Corona Updates can collect various pieces of device information, including OS version, phone model, and manufacturer.[11]

S0505 Desert Scorpion

Desert Scorpion can collect device metadata and can check if the device is rooted.[12]

S0550 DoubleAgent

DoubleAgent has accessed common system information.[7]

S0420 Dvmap

Dvmap checks the Android version to determine which system library to patch.[13]

S0507 eSurv

eSurv’s iOS version can collect device information.[14]

S0478 EventBot

EventBot can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.[15]

S0522 Exobot

Exobot can obtain the device’s country and carrier name.[16]

S0509 FakeSpy

FakeSpy can collect device information, including OS version and device model.[17]

S0577 FrozenCell

FrozenCell has gathered the device manufacturer, model, and serial number.[18]

S0535 Golden Cup

Golden Cup can collect various pieces of device information, such as serial number and product information.[19]

S0551 GoldenEagle

GoldenEagle has checked for system root.[7]

S0421 GolfSpy

GolfSpy can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.[20]

S0536 GPlayed

GPlayed can collect the device’s model, country, and Android version.[21]

S0406 Gustuff

Gustuff gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.[22]

S0544 HenBox

HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device.[23]

S0463 INSOMNIA

INSOMNIA can collect the device’s name, serial number, iOS version, total disk space, and free disk space.[24]

S0288 KeyRaider

Most KeyRaider samples search to find the Apple account's username, password and device's GUID in data being transferred.[25]

S0485 Mandrake

Mandrake can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.[26]

S0407 Monokle

Monokle queries the device for metadata such as make, model, and power levels.[27]

S0399 Pallas

Pallas queries the device for metadata, such as device ID, OS version, and the number of cameras.[28]

S0289 Pegasus for iOS

Pegasus for iOS monitors the victim for status and disables other access to the phone by other jailbreaking software.[29]

S0326 RedDrop

RedDrop exfiltrates details of the victim device operating system and manufacturer.[30]

S0403 Riltok

Riltok can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.[31]

S0411 Rotexy

Rotexy collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.[32]

S0313 RuMMS

RuMMS gathers device model and operating system version information and transmits it to a command and control server.[33]

S0558 Tiktok Pro

Tiktok Pro can check the device’s battery status.[34]

S0427 TrickMo

TrickMo can collect device information such as network operator, model, brand, and OS version.[35]

S0418 ViceLeaker

ViceLeaker collects device information, including the device model and OS version.[36]

S0506 ViperRAT

ViperRAT can collect system information, including brand, manufacturer, and serial number.[37]

G0112 Windshift

Windshift has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.[38]

S0318 XLoader for Android

XLoader for Android collects the device’s Android ID and serial number.[39]

S0490 XLoader for iOS

XLoader for iOS can obtain the device’s UDID, version number, and product number.[39]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.

References

  1. Android. (n.d.). Build. Retrieved December 21, 2016.
  2. L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.
  3. Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.
  4. Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.
  5. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  6. T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.
  7. A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.
  8. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
  9. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.
  10. B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
  11. T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.
  12. A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.
  13. R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.
  14. A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.
  15. D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.
  16. Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.
  17. O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.
  18. Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.
  19. R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.
  20. E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.
  1. V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.
  2. Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.
  3. A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
  4. I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.
  5. Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.
  6. R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.
  7. Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.
  8. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  9. Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
  10. Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.
  11. Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
  12. T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.
  13. Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.
  14. S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
  15. P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.
  16. GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.
  17. M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.
  18. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  19. Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.